Aruba Firmware Analysis
I analyzed an Aruba firmware image targeting an ARM32 platform running Linux.
The embedded web server is mini_httpd, with a simple and transparent
architecture. From main(), the server enters an infinite loop, forking a
child process for each incoming request:
while 1
{
child=fork();
if !child
{
handle_request();
exit(0);
}
(...)
}
This fork-per-request model is minimalistic and easy to reverse engineer, making it a suitable target for vulnerability analysis.
Request Parsing and Memory Corruption
The handle_request() function reads data from the socket until it encounters
either "\r\n\r\n" or "\n\n", indicating the end of HTTP headers. It then splits
the input into lines and parses the first line (the request line), which is
expected to follow the standard HTTP format: <METHOD> <URI> <VERSION>,
separated by spaces or tabs.
The parsing logic is as follows:
http_verb = httpLine;
if ( !httpLine )
send_error(400, "Bad Request", "", "Can't parse request.");
separator = strpbrk(httpLine, " \t\n\r");
request_URI = separator;
if ( !separator )
send_error(400, "Bad Request", "", "Can't parse request.");
*separator = 0;
URI = &separator[strspn(separator + 1, " \t\n\r") + 1]; // skip all separator chars
request_uri = URI;
v12 = strpbrk(uri, " \t\n\r");
http_version = v12;
if ( !v12 )
send_error(400, "Bad Request", "", "Can't parse request.");
*v12 = 0;
http_version = &v12[strspn(v12 + 1, " \t\n\r") + 1];// skip all separator chars
http_version[8] = 0; //it was at this moment he knews he fucked up
This implementation assumes the HTTP version string is exactly 8 bytes (e.g.,
"HTTP/1.0"), and blindly writes a null terminator at http_version[8]. However,
if a malformed request such as GET / HTT\n\n or GET / \n\n is sent, the
version string will be shorter than expected, causing the null byte to
overwrite memory beyond the allocated buffer.
Here is the vuln represented with a graphic:
The code search ofr separator, and will place nul byte to split the request in C-strings:
But what happen if we send a request with a really short "version" such as: GET / HTTP\n\n or GET / H\n\n? Where goes the +8?
This results in a classic out-of-bounds write : a memory corruption vulnerability triggered by an attacker-controlled HTTP version field.
Constraints
This vulnerability offers a limited exploitation primitive:
-
It allows writing a single null byte at an offset between
end_of_buffer + 1andend_of_buffer + 6, due to the requirement of terminating the HTTP request with at least two newline characters. -
The buffer is allocated to match the exact size of the incoming request, imposing strict control over memory layout.
-
Exploitation requires careful heap grooming to position a target structure or object immediately after the request buffer.
Buffer allocation
To understand the memory layout, we examine how the server reads and stores incoming HTTP requests.
The main loop reads data in chunks and appends it to a dynamically allocated buffer:
while ( 1 )
{
data_from_socket = read_data_from_socket(buf, 10000u);
buflen = data_from_socket;
if ( data_from_socket < 0 )
break;
if ( data_from_socket > 0 )
{
alarm(10u);
concatdata_realloc_if_needed(
(void **)&incomingdatabuf,
(size_t *)&incomingdatabuflen,
(size_t *)&dataBufferSize,
buf,
buflen);
v7 = (const char *)incomingdatabuf;
if ( !strstr((const char *)incomingdatabuf, "\r\n\r\n") && !strstr(v7, "\n\n") )
continue;
}
goto LABEL_21;
}
The request is considered complete once "\r\n\r\n" or "\n\n" is found. The data
is appended using concatdata_realloc_if_needed():
void *__fastcall concatdata_realloc_if_needed(
void **data_buffer,
size_t *total_buffer_capacity,
size_t *current_data_length,
const void *input_data,
size_t input_length)
{
size_t v8; // r3
size_t v9; // r3
void *result; // r0
size_t v11; // r6
if ( *total_buffer_capacity )
{
v8 = input_length + *current_data_length;
if ( *total_buffer_capacity <= v8 )
{
v9 = v8 + 500;
*total_buffer_capacity = v9;
*data_buffer = realloc_(*data_buffer, v9);
}
}
else
{
*total_buffer_capacity = input_length + 500; // Why 500?
*current_data_length = 0;
*data_buffer = malloc_(*total_buffer_capacity);
}
result = memmove((char *)*data_buffer + *current_data_length, input_data, input_length);
v11 = input_length + *current_data_length;
*current_data_length = v11;
*((_BYTE *)*data_buffer + v11) = 0;
return result;
}
At first glance, the allocation strategy appears safe: buffers are always
allocated with an additional 500 bytes, which should accommodate
http_version[8] even for malformed inputs like "GET / H\n\n".
However, due to the looped appending mechanism, an attacker can precisely control buffer length:
-
Send "GET " -> triggers allocation of 504 bytes (4 + 500)
-
Send the remaining request (e.g., "/a(....)a \n\n") sized to exactly fill the buffer
-
Parser writes a null byte at
http_version[8]-> overflows into the next allocation
In practice, a 504-byte buffer (or any size aligned to 8 bytes) is ideal for heap layout predictability during exploitation.
memory allocator
The target system uses ld-uClibc.so.0, with memory allocation handled by ptmalloc. This allocator stores metadata immediately before each allocated chunk, typically 8 bytes: 4 bytes for the previous chunk's size (used only if the previous chunk is free), and 4 bytes for the current chunk's size, including status flags (e.g. the "in-use" bit).
The heap layout can be abstracted as:
Given the nature of our null byte overflow, only bytes 5-8 (i.e., the size
field of the next chunk) are of interest. Overflowing bytes 1-4 (the
prev_size) has no impact, as the current chunk is marked in-use.
With control over a single null byte, we have two viable manipulation strategies:
Truncate the next chunk's size:
For example, changing a size field from 0x1931 to 0x0031 via null byte overwrite. This reduces the perceived size of the next chunk, which may lead to overlapping chunks during future allocations.
Mark the current chunk as free (clear "in-use" flag):
Overwriting the size field from 0x1931 to 0x1900 clears the in-use flag. This
causes the allocator to believe the current chunk is free, potentially leading
to coalescing with adjacent chunks and breaking the integrity of the
heap: particularly if the prev_size field in the next chunk becomes
inconsistent.
Note: Endianness plays a critical role here, enabling impactful corruption with a null byte targeting the least significant byte of the size field.
All This for Nothing
And so, the story ends: not with a shell, but with a sigh.
Recall the initial fork() in the server loop: each client request is handled in
a fresh child process. That means every request begins with a pristine,
untouched heap. No prior allocations, no fragmentation, no useful state to
manipulate. Just a clean slate: and the overwhelming sense that it's all
been for nothing.
The malloc(input_length + 500) buffer? It's placed at the very end of the
heap space. There is nothing allocated beyond it: no "next buffer," no
metadata to smash, no structures to corrupt. Just void. I tried, desperately,
to craft a request that would align the buffer against the edge of the heap,
hoping to nudge a null byte into unmapped memory. No luck. Silent failure.
Could we massage the heap? Chain requests? Send a first one to allocate and
free, then a second to overflow? Technically, yes. Practically, no. Every
request ends the same way: malformed input triggers an early return from
handle_request(), the child process exits, and everything vanishes. The heap
resets. All effort is wiped clean, like footprints in wet sand.
There's no persistence. No grooming. No next chunk. No victim.
This is memory corruption, yes. but not a vulnerability. Not in any meaningful, exploitable sense. It's an illusion of danger. A twisted idea in an innocent mind.
And after hours spent chasing this ghost through disassemblers and heap traces, I'm left with nothing but logs, broken hopes, and the dull ache of wasted time.
Nothing to see here. Nothing to exploit.
Just a null byte and a void.
I look at myself in the dark reflection of the laptop screen, backlit by hex dumps and disassembly. Pale face, tired eyes, fingers trembling slightly from too much caffeine and too little sleep.
And then the thought creeps in; inevitable, intrusive:
What if someone smarter figures it out?
What if this dead-end isn't dead at all? What if I missed something stupid, something obvious? Some arcane behavior in uClibc's allocator. Some alloc in a forgotten path. Some deeply buried debug handler that takes a pointer and trusts it without question.
It wouldn't be the first time. And it wouldn't be the last. I imagine the exploit write-up on a blog I've never heard of, shared a year from now on some obscure security mailing list. A PoC that works. A screenshot of a shell. A CVE.
Then the cold punch to the gut: my own notes, echoed back at me. Maybe even quoted. As some researcher once said: this is not a vulnerability.
I stare at the code again, forcing my brain to re-read lines I know by heart, searching for meaning in the static.
Maybe the bug is real. Maybe it's not. But maybe it doesn't matter. The screen dims. The terminal blinks, waiting for the next command I won't type. Outside, the world keeps moving. Patches get merged, disclosures get filed, bugs get forgotten.
And me? Just another failed exploit, rotting in a folder no one will ever open.